
Paul Jones:
PSR-7 and Session Cookies
Apr 12, 2016 @ 13:27:06

In this post to his site Paul Jones makes some suggestions about how to handle session cookies (PHP's default session handling mechanism) and requests/responses using the PSR-7 structure.

One of the great things about PHP is its session handling capabilities. One call to session_start() and a huge amount of heavy lifting is done for you. It’s a great aid when writing page scripts.

However, as you start to need finer control over the HTTP response in your project, some of the automatic session behaviors begin to get in the way. In particular, when you are using PSR-7 to build your HTTP response, you realize that session_start() and session_regenerate_id() both automatically do the equivalent of calling setcookie() to write headers directly to the output. This means you cannot buffer those calls into the Response object for later sending.

How then can we use PHP’s session handling, when we want finer control over when and how cookies get sent?

He suggests that you do two things. First, stop PHP itself from automatically sending the cookie via some ini_set calls. Second, do the session ID comparison manually and perform the related action (either allowing the ID or sending a new one on failure). He includes example code showing it in action and also mentions some of the shortcomings of the approach around cache and limiter headers.

tagged: psr7 session cookie request response header disable tutorial

Link: http://paul-m-jones.com/archives/6310

Jeff Geerling:
Streaming PHP - disabling output buffering in PHP, Apache, Nginx, and Varnish
Apr 06, 2016 @ 13:45:27

In a recent post to his site Jeff Geerling shows you how to disable the output buffering that PHP includes and create "streaming PHP" code similar to Drupal's recently introduced BigPipe handling.

For the past few days, I've been diving deep into testing Drupal 8's experimental new BigPipe feature, which allows Drupal page requests for authenticated users to be streamed and loaded in stages—cached elements (usually the majority of a page) are loaded almost immediately, meaning the end user can interact with the main elements on the page very quickly, then other uncacheable elements are loaded in as Drupal is able to render them.

[...] BigPipe takes advantage of streaming PHP responses (using flush() to flush the output buffer at various times during a page load), but to ensure the stream is delivered all the way from PHP through to the client, you need to make sure your entire webserver and proxying stack streams the request directly, with no buffering.

He decided to try out different configurations to see if he could reproduce the same thing outside of Drupal and - good news, everyone - he found a reliable way. He starts with a basic procedural script that emulates BigPipe and calls a flush inside a loop to push the latest output to the waiting client. While this cooperates on the command line the browser doesn't cooperate the same way. A small tweak helps it work, so he shows how to reproduce this reliably across the full stack - Nginx, Apache and Varnish.

He ends with a quick warning for those using VMWare/VirtualBox about some oddness he experienced in buffering the responses and includes a way to test if it's your script or the VM causing the trouble.

tagged: stream output disable buffering apache nginx varnish tutorial

Link: http://www.jeffgeerling.com/blog/2016/streaming-php-disabling-output-buffering-php-apache-nginx-and-varnish

Zend Developer Zone:
Z-Ray Tip #4: Getting Rid of It!
Jan 29, 2016 @ 10:44:14

On the Zend Developer Zone they've posted the fourth part in their series of tips around using the Z-Ray profiling tool in your PHP applications. In this fourth tip they show you how to "get rid of it" in certain parts of your application.

Well, while Z-Ray is a great friend to have when developing your apps, there are just some parties you don’t want it to show up at. You might be using PHP scripts for accessing static pages. Or, you might not want Z-Ray to be displayed for one specific request. In production, you most definitely don’t want Z-Ray popping up for users using your app!

There are numerous ways to disable Z-Ray both in development and in production to make sure your development workflow is not interrupted and your live apps are not affected. Here are a few of them.

They include a few different ways to disable the tool, including the use of a function call in the code (zray_disable), using a header in the HTTP request and, naturally, from the Z-Ray toolbar itself. They also talk about setting it up to be removed for production in one of two modes, either selective (only showing for certain requests) or completely disabled.

tagged: zray tip disable development production api get header selective

Link: http://devzone.zend.com/7149/z-ray-tip-4-getting-rid-of-it/

Joshua Thijssen:
Debugging Symfony components
Jan 02, 2015 @ 09:44:53

Joshua Thijssen has a quick new post today talking about debugging Symfony components, sharing a simple but useful hint.

Don’t you hate it when you are stepping through your debugger during a Symfony application debug session, and all of a sudden it cannot find files anymore as Symfony uses code located in the bootstrap.php.cache instead of the actual Symfony component. Symfony creates these cache-classes in order to speed up execution, but it makes that xdebug cannot find the correct code to step through anymore.

He found a solution in a few changes to his "app_dev.php" bootstrap file to alter the location of the autoloader and disable cache loading. This keeps Symfony from trying to access the cached versions and makes it use the actual files and locations, which makes debuggers much happier.

tagged: debug symfony component tip cache disable dev

Link: https://www.adayinthelifeof.nl/2014/12/31/debugging-symfony-components/

Anthony Ferrara:
What About Garbage?
Dec 03, 2014 @ 13:33:44

In his latest post Anthony Ferrara looks at a recent change in the Composer dependency management tool involving a major speed boost, just from disabling the garbage collection.

If you've been following the news, you'll have noticed that yesterday Composer got a bit of a speed boost. And by "bit of a speed boost", we're talking between 50% and 90% speed increase depending on the complexity of the dependencies. But how did the fix work? And should you make the same sort of change to your projects? For those of you who want the TL/DR answer: the answer is no you shouldn't.

He talks about what the actual (one line) change was that sped things up but goes on to talk about why doing this isn't necessarily a good thing. He covers how PHP handles variables internally, how it relates to "pointers" and the copy-on-write functionality. He includes code snippets and gives an overview of how each would be handled by the interpreter. Unfortunately, the way PHP handles things, deleting a variable only removes the variable reference, not the value, but does decrement the reference count for it. When that hits 0, garbage collection kicks in and removes the associated values too.

He talks about a few other kinds of garbage collection (the reference count method is just one of them) and circles back around to how this relates to Composer's functionality. He points out the number of objects created during the dependency resolution process and what can happen when the root buffer, populated with all of these objects, gets too full (hint: garbage collection). He finishes the post talking about how, in Composer's case, the garbage collection change yielded the performance impact it did, but doesn't suggest it for every project. He also makes a few suggestions as to things that could be done to improve PHP's garbage collection handling.

tagged: garbage collection handling composer disable detail

Link: http://blog.ircmaxell.com/2014/12/what-about-garbage.html

XpertDeveloper.com:
PHP "Magic Quotes" Explained
Sep 15, 2011 @ 11:01:04

If you're relatively new to the PHP world, you may be wondering why there has been so much emphasis put on "magic quotes" in the language's past. If you're not entirely sure what they are (and why to avoid them) take a look at this quick overview from XpertDeveloper.com.

First off, let me say that Magic Quotes is deprecated from PHP 5.3 and will be removed completely from PHP 6. But as a developer you might face a situation when you have to work on an application which runs on an older version of PHP with some older functionality, like relying on Magic Quotes.

They introduce the simple concept behind the magic quotes idea and, thankfully, the settings and code you can use to turn it off. It's been deprecated in PHP 5.3 but some older versions came with it enabled. If you're currently running with it on, it's highly recommended to turn it off and refactor your code accordingly.

tagged: magicquotes disable intorduction addslashes phpini


Ruslan Yakushev's Blog:
ASP.NET vulnerability affecting PHP sites on IIS
Sep 23, 2010 @ 08:50:46

As Ruslan Yakushev points out in this new blog entry, the same security issue that's affecting ASP.NET pages running on IIS web servers can still open up PHP scripts running on the same server.

Microsoft has recently released a Security Advisory about a security vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET. The PHP applications running on IIS are also subject to this vulnerability if ASP.NET is enabled in IIS.

The issue allows attackers to access the contents of various files on the server and could allow them to tamper with the data inside. Ruslan notes that, while Microsoft is coming up with a fix, one of the safest things you can do is either completely disable ASP.NET in the IIS server or use this workaround.

tagged: iis vulnerability aspnet disable workaround security


Sameer Borate's Blog:
Disabling the silence @-operator in PHP
Jul 06, 2010 @ 08:42:22

As Sameer Borate points out in his latest post to his blog, there's a way to disable that pesky suppression operator (@) in your PHP installation thanks to the scream extension.

PHP supports one error control operator: the at sign (@). When prepended to an expression any error generated by that expression will be ignored. It can also be useful for hiding errors generated by various functions. [...] Although quite useful at some times, using the @-operator can have some annoying side effects.

He shows you how to install the extension on a stock Ubuntu platform (including the PHP packages) and how to use the feature in your application by means of a call to ini_set (or, of course, setting it in your php.ini file).

tagged: disable supress operator scream extension


Derick Rethans' Blog:
Distributions: Please Don't Cripple PHP or Red Hat: Stop Fucking Around
Feb 04, 2009 @ 16:11:11

Derick Rethans has a few choice words for those developing PHP packages for Linux distributions out there - don't cripple PHP. His example deals specifically with Red Hat and their choices on timezone management.

Red Hat thought it'd be wise to create a patch to use the system provided timezone database instead. We (the PHP development team) thought that to be a bad idea because of several reasons. Among them is that it removes control from PHP's users about which database is, decreased performance, and some missing functionality

He mentions other problems - other issues related to timezone support - that caused them to not accept RedHat's patch to try to "fix" things by disabling the bundled timezone database. He looks at why this is such a bad thing, why it can cause trouble with PHP's date handling and what the future holds for this database support (hint: PHP 5.3 will shake things up).

tagged: redhat distribution package datetime support database disable


Sebastian Bergmann's Blog:
Global Variables and PHPUnit
Jun 17, 2008 @ 08:49:19

Sebastian Bergmann has a new post today about a feature of the PHPUnit unit testing tool that has the possibility of breaking when objects are introduced - backing up the globals.

It is hard to test code that uses singletons. The same is true for code that uses global variables. Typically, the code you want to test is coupled strongly with a global variable and you cannot control its creation. An additional problem is the fact that one test's change to a global variable might break another test.

You can disable the backup option if you'd like by setting the $backupGlobals option in your test to false. This lets PHPUnit know that you want to leave the globals (and superglobals) alone during the run.

tagged: global variable phpunit unittest backup global superglobal test disable